FTP traffic shaping

fourat
2011-11-14
2013-03-05
  • fourat
    2011-11-14

    Based on this example it is possible to apply traffic shaping on the classified packets. I'm wondering how to traffic-shape FTP session transfers, any idea?

    Thanks

  • Vadim Kurland
    2011-11-15

    FTP uses two sessions, one for the control commands and another for data transfer. You probably need to apply traffic shaping to the latter. However, netfilter is smart and dynamically opens the firewall for the data channel when it sees the corresponding command in the command channel. This means you normally do not need a separate rule in your firewall policy for the data channel connection. If you want to classify data channel packets for traffic shaping, you need to add a new rule with action "Continue" and rule options to classify packets. The data channel TCP connection is opened from port 20 to an arbitrary port on the client side (note that in this case port 20 is the _source_ port). Fwbuilder provides a TCP service object for this in the Standard objects library; its name is "ftp data". To match the data channel TCP session you just put this object in the "Service" field of the new rule.

  • fourat
    2011-11-15

    Here's my two rules (9 and 10).

    The 9th rule gets logged whenever I connect and authenticate to my FTP server; once I start any file upload I don't get rule #10 logged, as if it were not matched at all. This is why I can't traffic-shape FTP transfers.

    Here's my post-config script:

    # rates are in kbit/sec
    RATE_DEFAULT=1024
    RATE_BACKUPFTP=1
    # drop any existing root qdisc on tun0, ignore the error if there is none
    tc qdisc del dev tun0 root >/dev/null 2>&1
    # HTB root with a parent class at the default rate and a child class for ftp
    tc qdisc add dev tun0 root handle 1: htb
    tc class add dev tun0 parent 1: classid 1:1 htb rate ${RATE_DEFAULT}kbit ceil ${RATE_DEFAULT}kbit
    tc class add dev tun0 parent 1:1 classid 1:10 htb rate 1kbit ceil ${RATE_BACKUPFTP}kbit
    

    The FTP transfer is set to 1kbit for testing purposes …

  • Vadim Kurland
    2011-11-15

    I forgot to mention that the FTP data channel session matches iptables state "RELATED", which is permitted by a rule fwbuilder adds at the top of the generated script automatically. This is why your rule does not match any packets.

    I am not sure it is going to be possible to generate rules to do what you want … You'd need to turn this automatic rule off, add corresponding rules manually but match ESTABLISHED and RELATED states separately, and make sure you accept packets in RELATED state after they get classified in the mangle table. It's too complicated.

    tc can do classification on its own, see here: http://lartc.org/howto/lartc.qdisc.filters.html It may make sense to use this feature rather than try to do classification in the firewall rules.
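
    The approach suggested above, as an added example that is not part of the original thread or of fwbuilder: the same HTB tree fourat posted, but with the FTP data channel classified by a tc u32 filter rather than by iptables. It assumes interface tun0, rates in kbit/s, and active-mode FTP, where the server end of the data connection is TCP port 20; the commands are echoed (dry run) unless APPLY=1 is set, so it can be inspected before being run as root.

```shell
#!/bin/sh
# Added example, not code from the original thread: shape FTP *data*
# transfers with tc's own u32 classifier instead of iptables CLASSIFY rules.
# Assumptions: HTB tree like fourat's (interface tun0, rates in kbit/s) and
# active-mode FTP, so the data channel has TCP port 20 on the server side.
# Dry run by default (commands are echoed); set APPLY=1 to execute them.
if [ "${APPLY:-0}" = 1 ]; then TC=tc; else TC=echo; fi

# shape_ftp DEV RATE_DEFAULT_KBIT RATE_FTP_KBIT
shape_ftp() {
  dev=$1; rate_default=$2; rate_ftp=$3

  # Fresh HTB root; unclassified traffic falls into 1:1 via "default 1".
  $TC qdisc del dev "$dev" root 2>/dev/null
  $TC qdisc add dev "$dev" root handle 1: htb default 1
  $TC class add dev "$dev" parent 1: classid 1:1 htb \
      rate "${rate_default}kbit" ceil "${rate_default}kbit"
  $TC class add dev "$dev" parent 1:1 classid 1:10 htb \
      rate "${rate_ftp}kbit" ceil "${rate_ftp}kbit"

  # u32 filters: TCP (ip protocol 6) with port 20 as source or as destination
  # goes to the slow class. Both are installed because which header field
  # carries port 20 on this interface depends on whether the FTP server sits
  # on the near or the far side of it.
  for side in sport dport; do
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip "$side" 20 0xffff flowid 1:10
  done
}

shape_ftp "${DEV:-tun0}" "${RATE_DEFAULT:-1024}" "${RATE_BACKUPFTP:-1}"
```

Two caveats a practitioner should keep in mind: the u32 `ip sport`/`ip dport` matches use a fixed offset and so assume IP headers without options, and they only work for active mode, where port 20 is fixed. Passive-mode data connections use a port negotiated in the control channel, which a stateless tc filter cannot follow; that is exactly the conntrack (RELATED) dependency that makes the iptables route complicated.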

  • fourat
    2011-11-15

    Thank you!
    And yes, it's way too complicated to do it through fwbuilder .. I'm falling back to tc anyway .. :)